Demystifying Apple "Pie" & TouchID
Disclaimer
• Apple Pay research is work in progress.
• Yes, a jailbroken device is required.
• No 0-day vulnerabilities in this talk.
• This talk is about Apple Pay internals and the TouchID implementation.
Download the slides from:
twitter.com/0xroot
Agenda
• Part I: Introduction to Apple Pay.
• Part II: Demystifying Apple Pay.
• Part III: Messing with the runtime.
• Part IV: TouchID implementation caveats.
whoami
Sebas Guerrero (@0xroot)
Sr. Mobile Security Analyst at NowSecure
https://github.com/0xroot
sguerrero@nowsecure.com
Introduction to Apple Pay
What is Apple Pay?
“Mobile payments service and digital wallet app that
uses NFC to initiate secure payment transactions
between contactless payment terminals and Apple
iOS devices.”
How can I use it?
• Pay in-store: purchase by tapping the phone against a contactless POS terminal and placing a finger on the TouchID sensor.
• Pay in mobile apps: pay for items within mobile apps that support Apple Pay.
SE & HCE
• Secure Element (SE): a tamper-resistant platform capable of securely hosting applications and their confidential and cryptographic data in accordance with defined rules and security requirements. It can be thought of as a chip that offers a dynamic environment in which data is stored securely.
• Host Card Emulation (HCE): assumes that any data stored on the handset is vulnerable and therefore restricts the storage of sensitive data to host or 'cloud' databases managed to a high security standard. Preventing unauthorized access depends on four pillars: limited-use keys, tokens, device fingerprinting and transaction risk analysis.
Demystifying Apple Pay
What composes Apple Pay?
• Secure Enclave & TouchID
• Apple Pay Servers
• Passbook
• Secure Element
• NFC Controller
What is stored in the SE?
“Every time a consumer adds a credit card to the Passbook
application, the real payment credentials like the PAN,
Expiration Date, CVV, etc. are not stored into the SE.
Apple Pay instead stores a token and some
associated data inside the SE.”
What is the token used?
"A token can be thought of as a substitute credit card number. It is de-tokenized before being passed on to the issuer for authorization.
In classic acquirer tokenization the acquirer is responsible for both tokenization and de-tokenization. Apple Pay instead follows the payment tokenization standard created by EMVCo, in which the payment network, acting as Token Service Provider, performs the de-tokenization."
How are the tokens provided?
Participants: Customer, Apple Pay (on the device), Apple Pay Servers, Issuer Bank / Token Service Provider, Secure Element.
• Customer → Apple Pay: credit card (PAN / Exp. Date / CVV)
• Apple Pay → Apple Pay Servers: PAN / Exp. Date / CVV
• Apple Pay Servers → Issuer Bank / Token Service Provider: PAN / Exp. Date / CVV
• Issuer Bank / Token Service Provider → Apple Pay Servers: Token / Token-key / cvv-key
• Apple Pay Servers → Secure Element: Token / Token-key / cvv-key
- token-key will be used to generate a dynamic cryptogram
- cvv-key will be used to generate a dynamic security code
Payment token format
PKPaymentToken object:
• Transaction ID
• Payment Network
• Payment Token Data
  • Signature
  • Header
  • Encrypted Payment Data (amount, cardholder name, …)
• Payment Processing Data

Top-level structure
Key | Value | Description
data | Payment data dictionary, Base64 encoded as string | Encrypted payment data.
header | Header dictionary | Additional information used to decrypt and verify the payment.
signature | Detached PKCS #7 signature, Base64 encoded as string | Signature of the payment and header data.
version | String | Version information about the payment token.
Payment token format
Payment data keys
Key | Value | Description
applicationPrimaryAccountNumber | string | Device-specific account number of the card that funds this transaction.
applicationExpirationDate | date (string) | Card expiration date in the format YYMMDD.
currencyCode | string | ISO 4217 numeric currency code.
transactionAmount | number | Transaction amount.
cardholderName | string | Cardholder name.
deviceManufacturerIdentifier | string | Hex-encoded device manufacturer identifier.
paymentDataType | string | Either '3DSecure' or 'EMV'.
paymentData | payment data dictionary | Detailed payment data.
Intercepting payment operations
"According to the EMV standard, during a payment operation sensitive information such as the cardholder name, the card number, the expiration date and the CVV is transmitted."
Sniffing the contactless exchange with a Proxmark3. Note that in the lines shown the trace contains only the reader's polling frames (0x52 is the ISO 14443-3A WUPA, wake-up, command); no response from the device side appears in this portion of the capture:
proxmark3> hf 14a list
Recorded Activity
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 992 | Rdr | 52
298272 | 299264 | Rdr | 52
596560 | 597552 | Rdr | 52
894832 | 895824 | Rdr | 52
1193120 | 1194112 | Rdr | 52
1491392 | 1492384 | Rdr | 52
1789680 | 1790672 | Rdr | 52
2087952 | 2088944 | Rdr | 52
2386240 | 2387232 | Rdr | 52
2684496 | 2685488 | Rdr | 52
2982800 | 2983792 | Rdr | 52
3281088 | 3282080 | Rdr | 52
3579360 | 3580352 | Rdr | 52
…
Token de-tokenization
Encrypted token as received by the merchant (version EC_v1):
{
  "data": "2DzU9u6byIY4qCs3lW4KgK3JWC6Ac+x…..……WkFco=",
  "header": {
    "ephemeralPublicKey": "MFkwEwYHKoZIzj0…………bA==",
    "publicKeyHash": "spzGX6upCJhx5UD8vCo1+LcIi7+fkxEUaVmhbX18cJM=",
    "transactionId": "79ccd07eb432f80067d8e5bbc4c38ee1def7fcc1827f6ba5b63bf47b283ebf89"
  },
  "signature": "MIAGCSqGSIb3DQEHAqtNGjj9I………….AAAAAAAA=",
  "version": "EC_v1"
}
Decrypted payment data (the "data" field after decryption with the merchant key):
{
  "applicationExpirationDate": "190131",
  "applicationPrimaryAccountNumber": "370295XXXXX5435",
  "currencyCode": "840",
  "deviceManufacturerIdentifier": "XXXXXXXXXX",
  "paymentData": {
    "emvData": "nycBgJ82AgDCnyYIG2vuQydGkMafEA…….Lnvab4="
  },
  "paymentDataType": "EMV",
  "transactionAmount": 100
}
Github: applepay_crypto_demo
What happens in a payment?
“Each transaction is authorized with a one-time unique number using your
Device Account Number and instead of using the security code from the back
of your card, Apple Pay creates a dynamic security code to securely validate
each transaction.”
- From the press release
The Device Account Number represents the Token, the One-time Unique
Number represents the dynamic cryptogram and the Dynamic Security Code
represents the dynamic CVV
Secure Enclave
• Part of the A7 and A8 chips, used for Touch ID. According to Apple, within the Secure Enclave the fingerprint data is stored in an encrypted form that can only be decrypted with a key available to the Secure Enclave, walling the fingerprint data off from the rest of the A7/A8 chip.
• It is a flashable 4MB processor named the Secure Enclave Processor (SEP).
• It runs its own OS, called SEP OS, and there is a utility called SEPUtil that can be used to communicate with it.
• It is contained in the ramdisk H7SURamDisk.dmg, located in /usr/standalone/update/ramdisk, and inside it under /usr/libexec.
• It is necessary to strip off the first 0x1b (27) bytes to make the DMG readable.
RootedCON
Secure Enclave
• We believe that all the information stored in the Secure Enclave is erased once the device is turned off.
• Inside biometrickitd we find at memory address '000000010001DD3C' a 'bl sub_10001376c' instruction. That method is the one used to upload all the information to the Secure Enclave.
• Probably a good starting point to figure out how things work in the Secure Enclave.
Messing with the runtime
TouchID
"Fingerprint recognition feature, designed by Apple and available on the iPhone 5S, 6 and 6 Plus, whose purpose is to allow users to unlock their device, make purchases in the various Apple stores and authenticate Apple Pay online or in apps."
TouchID process
1. Sense for a scannable object
2. Scan the object
3. Construct an input map based on the scan results
4. Construct a lower-resolution input pattern
5. Provide the input pattern and the template pattern
6. Run match comparisons of the input pattern against the template pattern
7. Provide the identities of the possible match results
8. Run a match comparison of the input map against the possible match identities
9. Provide the result
What happens under the hood
• First obstacle: what is happening at filesystem level when the user interacts with the TouchID component and a new fingerprint is added to or removed from the system?
• Workaround: the FileMon utility by J. Levin, put on steroids by pancake, lets us peek behind the scenes at what the iOS daemons are doing.
• Goal: obtain the binaries involved and the operations they perform when the Apple Pay technology or the TouchID component is used.
Identifying binaries
• The SpringBoard framework binary generates some interesting images.
• The biometrickitd daemon creates and modifies the content of a file called TemplateList.cat; FileMon cannot copy it in time:
[E] Error copying /tmp/_private_var_root_Library_Catacomb_TemplateList.cat.tmp
Overriding unlink
• Second obstacle: unlink() prevents us from copying the resource, since it removes the link named by its path argument from the directory before we can copy the file.
• Workaround: override its implementation so that it always returns 0 (success) without removing anything; biometrickitd believes the temporary file is gone while it stays on disk.
• Goal: obtain a copy of the files generated.
carapene:~ root# cycript -p PID
cy# @import com.saurik.substrate.MS
cy# // resolve unlink(2) and give cycript its real C signature: int unlink(const char *path)
cy# unlink = dlsym(RTLD_DEFAULT, "unlink")
cy# unlink = @encode(int (const char *))(unlink)
cy# var oldu = {}
cy# var log = []
cy# // replace unlink: record the path, never call the original, report success
cy# MS.hookFunction(unlink, function(path) {
cy>     log.push(path);
cy>     return 0;
cy> }, oldu)
dyld_shared_cache
• Third obstacle: since iPhoneOS 3.1 all default (private and public) libraries are compiled into one big cache file. All binaries and libraries from /System/Library/Frameworks and /System/Library/PrivateFrameworks now live in /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX (armv7, armv7s or arm64, depending on the device).
• Workaround: use the jtool utility to extract a specific binary from the cache, or dump all the binaries at once.
• Goal: access to all the binaries, and the ability to dump their classes/methods and reverse engineer their code.
jtool -extract UIKit path/to/dyld_shared_cache
jtool -lv cache_armv7 | cut -c 24- | tail -n +5 | while read line ;
do jtool -extract "$line" cache_armv7 ; done
Put your seat-belt
• Fourth obstacle: the binary's entitlements declare a sandbox profile under the seatbelt-profiles key; Seatbelt is the kernel extension that enforces the sandbox and restricts a set of features for those processes.
• Workaround: use the ldid utility to extract the entitlements (ldid -e), rename the seatbelt-profiles key so that no profile is applied, and re-sign the binary with the modified entitlements (ldid -S followed by the entitlements file).
• Goal: the ability to attach cycript to the process, dump the information held in its variables and modify its behavior at runtime.
Before:
<key>seatbelt-profiles</key>
<array>
<string>seld</string>
</array>
After (key name reversed, so the sandbox no longer finds a profile to apply):
<key>tlebtaes-profiles</key>
<array>
<string>seld</string>
</array>
Thug Life
TouchID security
"The resulting map of nodes is stored without any identity information in an encrypted format that can only be read by the Secure Enclave, and is never sent to Apple or backed up to iCloud or iTunes."
Partially true.
Enabling the TouchID debug log
• The biometrickitd binary contains a string reference to '/var/mobile/Library/Logs/CrashReporter/BioLog'. That file is written by the class 'BioLog', which is disabled by default.
• Save the following 'com.apple.biometrickitd.plist' file under the '/Library/Managed Preferences/mobile/' path:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>debugLogEnabled</key>
<true/>
</dict>
</plist>
Binaries & methods
• iOS 8.0 headers available at: http://developer.limneos.net/
• Most interesting binaries:
  • Biometric operations: BiometricKit.framework, biometrickitd, Preferences.app
  • NFC controller: nfcd, NearField.framework, libnfshared.dylib, PN548_HAL.dylib, PN548_API.dylib, PN548.dylib
  • Secure Enclave: seld, seputil binary (https://theiphonewiki.com/wiki/Seputil)
• BiometricKitIdentity: represents an enrolled fingerprint on the device; properties for the user-defined name and UUID are available.
• BLTemplateList: retrieves the template associated with each identity enrolled on the device.
• TemplateInfo: retrieves the information associated with each template that represents a fingerprint.
• BioLogBase: contains all the logs dumped for the TouchID component.
• BiometricKitXPCServer
TemplateList.cat
• Located at /private/var/root/Library/Catacomb/TemplateList.cat
• It is the template file that contains all the information about the fingerprints added to the system.
• Some of the information is readable, but the most interesting part is Base64 encoded and encrypted (?).
Gotta Catch 'em all!
• decodeCatacombDataV1
• pullDebugImageData
• pullImageMetadata
• pullMatchTopologyData
• setAppleMesaSEPLoggingLevel
• getData / readBinary / getApplications / getCertificates
• decodeRootSecurityDomainResponse / dumpAppData
TouchID implementation caveats
LocalAuthentication
• User space: Application
• Operating system: LocalAuthentication, TouchID
• Secure Enclave: credential management
LA security
• LocalAuthentication: trust the OS.
• Keychain: trust the Secure Enclave.
  No direct access to the Secure Enclave
  No access to the registered fingers
  No access to the fingerprint image
• Shared libraries: check with otool whether LocalAuthentication.framework is linked by the application.
• canEvaluatePolicy: preflights an authentication policy to see if it is possible for authentication to succeed.
• evaluatePolicy: evaluates the specified policy; the reply block receives the whole decision as a single boolean.
• Policy LAPolicyDeviceOwnerAuthenticationWithBiometrics: no passcode authentication; the fallback is the application's own password entry UI.
LocalAuthentication API
TouchID authentication
#import <LocalAuthentication/LocalAuthentication.h>

- (void)evaluatePolicy
{
    LAContext *context = [[LAContext alloc] init];
    __block NSString *msg;
    // show the system authentication UI with our reason string
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:NSLocalizedString(@"EVALUATE_POLICY_REASON", nil)
                      reply:^(BOOL success, NSError *authenticationError) {
        // the whole authentication decision arrives here as one BOOL
        if (success) {
            msg = NSLocalizedString(@"EVALUATE_POLICY_SUCCESS", nil);
        } else {
            msg = [NSString stringWithFormat:NSLocalizedString(@"EVALUATE_POLICY_WITH_ERROR", nil),
                   authenticationError.localizedDescription];
        }
        // the reply block is not delivered on the main thread; hop back before touching the UI
        dispatch_async(dispatch_get_main_queue(), ^{
            [self printResult:self.textView message:msg];
        });
    }];
}
Tango Down
carapene:~ root# cycript -p PID
cy# @import com.saurik.substrate.MS
cy# var oldm = {}
cy# // replace -[LAContext evaluatePolicy:localizedReason:reply:]: never show the prompt,
cy# // never ask the Secure Enclave, just call the application's reply block with success
cy# MS.hookMessage(LAContext,
cy>   @selector(evaluatePolicy:localizedReason:reply:),
cy>   function(policy, reason, block) { block(YES, nil); }, oldm);
Demo #1
What's out there?
Tampering the binary
NOP ALL THE THINGS
Demo #2
It's Magic
Conclusions
• The Apple Pay technology is pretty solid and well structured; maybe not all the statements made by Apple are true, but the overall security deployed is robust.
• A jailbroken device is required to even scratch the surface, and even then the information obtained is not highly sensitive.
• TouchID integration works better with Keychain ACLs; integrating only with LocalAuthentication.framework is not recommended to protect your assets, since its result is a boolean delivered to the application and can be forced at runtime.
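The hardened form of the pattern the conclusions recommend, as an added example that is not part of the original slides: the secret is stored as a Keychain item whose access control list requires user presence, so it is released by securityd only after the Secure Enclave reports a fingerprint match (or the passcode is entered), and there is no application-side BOOL for a hook to flip. The service and account names and the secret value are constructed for illustration; the APIs are the iOS 8 Security.framework ones the talk targets (kSecUseNoAuthenticationUI was later replaced by kSecUseAuthenticationUI in iOS 9).

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical identifiers for the demo item.
static NSString * const kDemoService = @"com.example.applepay-demo";
static NSString * const kDemoAccount = @"session-secret";

// Store a secret so that it can only be read after the user proves presence
// (TouchID, with passcode fallback) and only while a passcode is set on this device.
OSStatus DemoStoreSecret(NSData *secret)
{
    CFErrorRef error = NULL;
    SecAccessControlRef sac = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // item is wiped if the passcode is removed
        kSecAccessControlUserPresence,                   // TouchID or passcode required on every read
        &error);
    if (!sac) {
        NSLog(@"SecAccessControlCreateWithFlags failed: %@", error);
        if (error) CFRelease(error);
        return errSecParam;
    }

    NSDictionary *lookup = @{ (id)kSecClass:       (id)kSecClassGenericPassword,
                              (id)kSecAttrService: kDemoService,
                              (id)kSecAttrAccount: kDemoAccount };
    SecItemDelete((__bridge CFDictionaryRef)lookup); // replace any previous copy

    NSDictionary *attrs = @{ (id)kSecClass:                 (id)kSecClassGenericPassword,
                             (id)kSecAttrService:           kDemoService,
                             (id)kSecAttrAccount:           kDemoAccount,
                             (id)kSecValueData:             secret,
                             (id)kSecAttrAccessControl:     (__bridge id)sac,
                             (id)kSecUseNoAuthenticationUI: @YES }; // adding never prompts
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    CFRelease(sac);
    return status;
}

// Read the secret back. The prompt is drawn by the system, not by the app; the
// item's bytes are returned only when the ACL is satisfied. Forcing a callback
// in the app (the Tango Down hook) yields nil here, not the secret.
NSData *DemoReadSecret(NSString *reason, OSStatus *outStatus)
{
    NSDictionary *query = @{ (id)kSecClass:              (id)kSecClassGenericPassword,
                             (id)kSecAttrService:        kDemoService,
                             (id)kSecAttrAccount:        kDemoAccount,
                             (id)kSecReturnData:         @YES,
                             (id)kSecUseOperationPrompt: reason }; // text shown in the TouchID sheet
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status;

    switch (status) {
        case errSecSuccess:
            return (__bridge_transfer NSData *)result;
        case errSecUserCanceled:           // user dismissed the prompt
        case errSecAuthFailed:             // fingerprint/passcode check failed
        case errSecItemNotFound:           // never stored, or passcode removed and item wiped
        case errSecInteractionNotAllowed:  // read attempted while UI interaction is forbidden
        default:
            return nil;
    }
}

// Usage: store once, then every read goes through the Secure Enclave path.
//   DemoStoreSecret([@"constructed demo secret" dataUsingEncoding:NSUTF8StringEncoding]);
//   OSStatus st; NSData *s = DemoReadSecret(@"Authenticate to release the session secret", &st);
```

Design note: with evaluatePolicy the application holds the decision (a BOOL in its own reply block), which is exactly what the cycript hook overwrites. With the ACL-protected item the application only ever holds a query; the decision and the decryption of the item happen in securityd and the Secure Enclave, so tampering with the app's code changes nothing about whether the bytes come back. Binding the item to kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly also keeps it out of backups and destroys it if the passcode is removed.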
Thank You
special thanks to @abelenko, @trufae (pancake), @revskills (F. Alonso) and J. Levin
(@technologeeks)
Sebas Guerrero
@0xroot
sguerrero@nowsecure.com

[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
 
EthereumBlockchainMarch3 (1).pptx
EthereumBlockchainMarch3 (1).pptxEthereumBlockchainMarch3 (1).pptx
EthereumBlockchainMarch3 (1).pptx
 
Exploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source ToolsExploring Your Apple M1 devices with Open Source Tools
Exploring Your Apple M1 devices with Open Source Tools
 
Security's Once and Future King
Security's Once and Future KingSecurity's Once and Future King
Security's Once and Future King
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
Interoperability and APIs in OpenStack
Interoperability and APIs in OpenStackInteroperability and APIs in OpenStack
Interoperability and APIs in OpenStack
 
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phon...
 
CONFidence 2017: Hacking Card Emulation - how to clone any Android HCE contac...
CONFidence 2017: Hacking Card Emulation - how to clone any Android HCE contac...CONFidence 2017: Hacking Card Emulation - how to clone any Android HCE contac...
CONFidence 2017: Hacking Card Emulation - how to clone any Android HCE contac...
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
mDevCamp 2016 - Zingly, or how to design multi-banking app
mDevCamp 2016 - Zingly, or how to design multi-banking appmDevCamp 2016 - Zingly, or how to design multi-banking app
mDevCamp 2016 - Zingly, or how to design multi-banking app
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapDEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
 

Recently uploaded

UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)Dr SOUNDIRARAJ N
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catcherssdickerson1
 
Autonomous emergency braking system (aeb) ppt.ppt
Autonomous emergency braking system (aeb) ppt.pptAutonomous emergency braking system (aeb) ppt.ppt
Autonomous emergency braking system (aeb) ppt.pptbibisarnayak0
 
Class 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm SystemClass 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm Systemirfanmechengr
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
Energy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxEnergy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxsiddharthjain2303
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
Industrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.pptIndustrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.pptNarmatha D
 
11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdfHafizMudaserAhmad
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating SystemRashmi Bhat
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgsaravananr517913
 
Configuration of IoT devices - Systems managament
Configuration of IoT devices - Systems managamentConfiguration of IoT devices - Systems managament
Configuration of IoT devices - Systems managamentBharaniDharan195623
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the weldingMuhammadUzairLiaqat
 
Indian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptIndian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptMadan Karki
 
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...Erbil Polytechnic University
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptSAURABHKUMAR892774
 

Recently uploaded (20)

UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
 
Design and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdfDesign and analysis of solar grass cutter.pdf
Design and analysis of solar grass cutter.pdf
 
Autonomous emergency braking system (aeb) ppt.ppt
Autonomous emergency braking system (aeb) ppt.pptAutonomous emergency braking system (aeb) ppt.ppt
Autonomous emergency braking system (aeb) ppt.ppt
 
Class 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm SystemClass 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm System
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Energy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxEnergy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptx
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Industrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.pptIndustrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.ppt
 
11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating System
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
 
Configuration of IoT devices - Systems managament
Configuration of IoT devices - Systems managamentConfiguration of IoT devices - Systems managament
Configuration of IoT devices - Systems managament
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Designing pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptxDesigning pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptx
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the welding
 
Indian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.pptIndian Dairy Industry Present Status and.ppt
Indian Dairy Industry Present Status and.ppt
 
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
 
young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.ppt
 

Demystifying Apple Pay and TouchID Implementation

11. What is stored in the SE?
“Every time a consumer adds a credit card to the Passbook application, the real payment credentials like the PAN, Expiration Date, CVV, etc. are not stored into the SE. Apple Pay instead stores a token and some associated data inside the SE.”
12. What is the token used?
“We can consider a token like a fake credit card number, which is de-tokenized before being transmitted on to the Issuer for authorization. The Acquirer is responsible for tokenization and de-tokenization. But Apple Pay uses the standard created by EMVCo, where the payment network is the one that performs de-tokenization.”
13. How are the tokens provided?
(Diagram on the slide: the provisioning flow between Customer, Apple Pay, Apple Pay Servers, Issuer Bank, Token Service Provider and Secure Element. Edge labels, in slide order: Credit card PAN / Exp. Date / CVV; PAN / Exp. Date / CVV; Token / Token-key; PAN / Exp. Date / CVV; Token / Token-key / cvv-key; Token / Token-key / cvv-key.)
• token-key will be used to generate a dynamic cryptogram
• cvv-key will be used to generate a dynamic security code
14. Payment token format
PKPaymentToken object:
• Transaction ID
• Payment Network
• PaymentToken Data: Signature, Header, Encrypted Payment Data (Amount, Cardholder name, …, Payment Processing Data)

Top-Level Structure
Key | Value | Description
data | Payment data dictionary, Base64 encoded as string | Encrypted Payment Data
header | Header dictionary | Additional information used to decrypt and verify the payment.
signature | Detached PKCS #7 signature, Base64 encoded as string | Signature of the payment and header data.
version | String | Version information about the payment token.
15. Payment token format
Payment Data Keys
Key | Value | Description
applicationPrimaryAccountNumber | string | Device-specific account number of the card that funds this transaction.
applicationExpirationDate | date (string) | Card expiration date in the format YYMMDD.
currencyCode | string | ISO 4217 numeric currency code.
transactionAmount | number | Transaction amount.
cardholderName | string | Cardholder name.
deviceManufacturerIdentifier | string | Hex-encoded device manufacturer identifier.
paymentDataType | string | Either ‘3DSecure’ or ‘EMV’.
paymentData | payment data dictionary | Detailed payment data.
16. Intercepting payment operations
“According to the EMV standard, during a payment operation, sensitive information like card-holder name, credit card number, expiration date and cvv are transmitted.”

proxmark3> hf 14a list
Recorded Activity
Start | End | Src | Data
----------|-----------|-----|--------
0 | 992 | Rdr | 52
298272 | 299264 | Rdr | 52
596560 | 597552 | Rdr | 52
894832 | 895824 | Rdr | 52
1193120 | 1194112 | Rdr | 52
1491392 | 1492384 | Rdr | 52
1789680 | 1790672 | Rdr | 52
2087952 | 2088944 | Rdr | 52
2386240 | 2387232 | Rdr | 52
2684496 | 2685488 | Rdr | 52
2982800 | 2983792 | Rdr | 52
3281088 | 3282080 | Rdr | 52
3579360 | 3580352 | Rdr | 52
…
17. Token de-tokenization
Payment token (encrypted; values truncated on the slide):
{
  "data": "2DzU9u6byIY4qCs3lW4KgK3JWC6Ac+x…..……WkFco=",
  "header": {
    "ephemeralPublicKey": "MFkwEwYHKoZIzj0…………bA==",
    "publicKeyHash": "spzGX6upCJhx5UD8vCo1+LcIi7+fkxEUaVmhbX18cJM=",
    "transactionId": "79ccd07eb432f80067d8e5bbc4c38ee1def7fcc1827f6ba5b63bf47b283ebf89"
  },
  "signature": "MIAGCSqGSIb3DQEHAqtNGjj9I………….AAAAAAAA=",
  "version": "EC_v1"
}

Decrypted payment data:
{
  "applicationExpirationDate": "190131",
  "applicationPrimaryAccountNumber": "370295XXXXX5435",
  "currencyCode": "840",
  "deviceManufacturerIdentifier": "XXXXXXXXXX",
  "paymentData": {
    "emvData": "nycBgJ82AgDCnyYIG2vuQydGkMafEA…….Lnvab4="
  },
  "paymentDataType": "EMV",
  "transactionAmount": 100
}
Github: applepay_crypto_demo
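Added example (not the talk's code, nor the applepay_crypto_demo repo it points to): a Python validator for the token envelope of slides 14 and 15 and the decrypted payment data of slide 17, meant to run on the merchant backend before decryption and PKCS #7 signature verification. It assumes the merchant's DER-encoded public key bytes are at hand (a constructed stand-in here) and that publicKeyHash is the base64 SHA-256 of those bytes; every sample value is constructed.

```python
"""Merchant-side sanity checks on an Apple Pay EC_v1 payment token (added example,
not code from the talk or the applepay_crypto_demo repo it points to). Decryption and
PKCS#7 verification are out of scope; this checks what must hold before them.
Every sample value is constructed."""
import base64
import hashlib
import re
from datetime import date

# Constructed stand-in for the merchant certificate's DER-encoded public key bytes.
SAMPLE_MERCHANT_KEY_DER = b"constructed-merchant-spki-bytes-not-a-real-key"


def public_key_hash(merchant_public_key_der: bytes) -> str:
    """publicKeyHash as Apple encodes it: SHA-256 of the key bytes, base64."""
    return base64.b64encode(hashlib.sha256(merchant_public_key_der).digest()).decode()


def check_payment_token(token: dict, merchant_public_key_der: bytes) -> dict:
    """Return the decoded binary fields of a well-formed EC_v1 token addressed to
    this merchant; raise ValueError otherwise (b64decode with validate=True does too)."""
    for key in ("data", "header", "signature", "version"):
        if key not in token:
            raise ValueError(f"missing top-level key {key!r}")
    if token["version"] != "EC_v1":
        raise ValueError(f"unsupported version {token['version']!r}")
    header = token["header"]
    for key in ("ephemeralPublicKey", "publicKeyHash", "transactionId"):
        if key not in header:
            raise ValueError(f"missing header key {key!r}")
    if not re.fullmatch(r"[0-9a-f]{64}", header["transactionId"]):
        raise ValueError("transactionId is not 32 hex-encoded bytes")
    # Apple hashes the merchant's public key into the header; a mismatch means the
    # token was encrypted for someone else and our private key cannot open it.
    if header["publicKeyHash"] != public_key_hash(merchant_public_key_der):
        raise ValueError("publicKeyHash does not match our merchant certificate")
    data = base64.b64decode(token["data"], validate=True)
    if len(data) <= 16:  # EC_v1 data is AES-GCM ciphertext followed by a 16-byte tag
        raise ValueError("data too short to hold ciphertext plus a GCM tag")
    return {"data": data,
            "ephemeralPublicKey": base64.b64decode(header["ephemeralPublicKey"], validate=True),
            "signature": base64.b64decode(token["signature"], validate=True),
            "transactionId": header["transactionId"]}


def check_payment_data(payment: dict, today_iso: str = "") -> dict:
    """Validate the decrypted payment data (slide 15 keys) and return a summary
    that is safe to log: PAN masked, expiry as an ISO date, amount as an int."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    for key in ("applicationPrimaryAccountNumber", "applicationExpirationDate",
                "currencyCode", "transactionAmount", "paymentDataType", "paymentData"):
        if key not in payment:
            raise ValueError(f"missing payment data key {key!r}")
    pan = payment["applicationPrimaryAccountNumber"]
    if not re.fullmatch(r"[0-9]{13,19}", pan):
        raise ValueError("applicationPrimaryAccountNumber is not 13 to 19 digits")
    exp = payment["applicationExpirationDate"]
    if not re.fullmatch(r"[0-9]{6}", exp):
        raise ValueError("applicationExpirationDate is not YYMMDD")
    expires = date(2000 + int(exp[:2]), int(exp[2:4]), int(exp[4:]))  # rejects impossible dates
    if expires < today:
        raise ValueError("device account number has expired")
    if not re.fullmatch(r"[0-9]{3}", payment["currencyCode"]):
        raise ValueError("currencyCode is not an ISO 4217 numeric code")
    amount = payment["transactionAmount"]
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        raise ValueError("transactionAmount must be a positive integer (minor units)")
    kind = payment["paymentDataType"]
    if kind not in ("3DSecure", "EMV"):
        raise ValueError(f"unknown paymentDataType {kind!r}")
    needed = "emvData" if kind == "EMV" else "onlinePaymentCryptogram"  # inner key per type
    if needed not in payment["paymentData"]:
        raise ValueError(f"{kind} payment data lacks {needed!r}")
    return {"pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expires": expires.isoformat(), "currency": payment["currencyCode"],
            "amount": amount, "type": kind}


def sample_token() -> dict:
    """Constructed EC_v1 envelope with the layout of the token shown on slide 17."""
    return {"data": base64.b64encode(b"\x00" * 40).decode(),
            "header": {"ephemeralPublicKey": base64.b64encode(b"\x04" + b"\x11" * 64).decode(),
                       "publicKeyHash": public_key_hash(SAMPLE_MERCHANT_KEY_DER),
                       "transactionId": "ab" * 32},
            "signature": base64.b64encode(b"constructed-pkcs7").decode(),
            "version": "EC_v1"}
```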
18. What happens in a payment?
“Each transaction is authorized with a one-time unique number using your Device Account Number and instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction.” - From the press release
The Device Account Number represents the Token, the One-time Unique Number represents the dynamic cryptogram and the Dynamic Security Code represents the dynamic CVV.
19. Secure Enclave
• Part of the A7 and A8 chips, used for Touch ID. According to Apple, within the Secure Enclave the fingerprint data is stored in an encrypted form which can only be decrypted by a key available to the Secure Enclave, thus walling the fingerprint data off from the rest of the A7/A8 chip.
• It’s a flashable 4MB processor named the Secure Enclave Processor (SEP).
• It contains its own OS, called SEP OS, and there is a utility called SEPUtil that can be used to communicate with it.
• It’s contained in the ramdisk H7SURamDisk.dmg, which is located in /usr/standalone/update/ramdisk, and there in /usr/libexec.
• It is necessary to strip off the first 0x1b (27) bytes to make the DMG readable.
RootǝdCON
20. Secure Enclave
• We believe that all the information stored in the Secure Enclave is erased once the device is turned off.
• Inside biometrickitd we find at memory address ‘000000010001DD3C’ a ‘bl sub_10001376c’ instruction. That method is the one used to upload all the information to the Secure Enclave.
• Probably a good starting point to figure out how things work in the Secure Enclave.
22. TouchID
“Fingerprint recognition feature, designed by Apple and available on the iPhone 5S, 6 and 6+, whose purpose is to allow users to unlock their device, as well as make purchases in the various Apple stores and to authenticate Apple Pay online or in apps.”
23. TouchID Process
• Sense for scannable object
• Scan object
• Construct input map based on scan results
• Construct lower resolution input pattern
• Provide input pattern and template pattern
• Run match comparisons of input pattern and template pattern
• Provide identity of possible match results
• Run match comparison of input map with possible match identities
• Provide result
24. What happens under the hood
• First Obstacle: What is happening at filesystem level when the user interacts with the TouchID component and a new fingerprint is added to or removed from the system?
• Workaround: FileMon, the utility by J. Levin, put on steroids by Pancake. It lets the user peek behind the scenes at what iOS daemons are doing.
• Goal: Obtain the binaries involved and the operations they perform when the Apple Pay technology or the TouchID component are used.
25. Identifying binaries
• The SpringBoard framework binary generates some interesting images.
• The biometrickitd daemon creates and modifies the content of a file called TemplateList.cat
[E] Error copying /tmp/_private_var_root_Library_Catacomb_TemplateList.cat.tmp
26. Overriding unlink
• Second Obstacle: The unlink function prevents us from copying the resource, since it removes the link named by the path parameter from its directory before we can copy it.
• Workaround: Override its implementation and always return false (0), without calling the original.
• Goal: Obtain a copy of the files generated.

carapene:~ root# cycript -p PID
cy# @import com.saurik.substrate.MS
cy# unlink = dlsym(RTLD_DEFAULT, "unlink")
cy# // unlink(2) takes a single path and returns an int
cy# unlink = @encode(int (const char *))(unlink)
cy# var oldu = {}
cy# var log = []
cy# MS.hookFunction(unlink, function(path) {
cy>     log.push([path]);   // record the path; the file is never removed
cy>     return 0;
cy> }, oldu)
27. dyld_shared_cache
• Third Obstacle: Since iPhoneOS 3.1 all default (private and public) libraries have been compiled into one big cache file. All binaries or libraries from /System/Library/Frameworks and /System/Library/PrivateFrameworks are now located in /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX.
• Workaround: Use the jtool utility to extract a specific binary from the cache, or to dump all the binaries at once.
• Goal: Access to all the binaries, and the ability to dump their classes/methods and reverse engineer their source code.

jtool -extract UIKit path/to/dyld_shared_cache
jtool -lv cache_armv7 | cut -c 24- | tail +5 | while read line ; do jtool -extract "$line" cache_armv7 ; done
28. Put your seat-belt
• Fourth Obstacle: The binary contains in its entitlements the sandbox profile ‘seat-belt’, a kernel extension that restricts a set of features from being used by some processes.
• Workaround: Use the ldid utility to extract the entitlements and modify the ‘seat-belt’ field of a binary.
• Goal: The ability to attach cycript to the process, dump the information from its variables and modify its behavior at runtime.

Original entitlement:
<key>seatbelt-profiles</key>
<array>
    <string>seld</string>
</array>

Modified entitlement (key name reversed, so the profile is no longer applied):
<key>tlebtaes-profiles</key>
<array>
    <string>seld</string>
</array>
ThugLife
29. TouchID Security
“The resulting map of nodes is stored without any identity information in an encrypted format that can only be read by the Secure Enclave, and is never sent to Apple or backed up to iCloud or iTunes.”
Partially true
30. Enabling TouchID Debug Log
• The biometrickitd binary contains a string reference to ‘/var/mobile/Library/Logs/CrashReporter/BioLog’. That file is generated by the class ‘BioLog’, which is disabled by default.
• Save the following ‘com.apple.biometrickitd.plist’ file under the ‘/Library/Managed Preferences/mobile/’ path.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>debugLogEnabled</key>
    <true/>
</dict>
</plist>
33. Binaries & methods
• iOS 8.0 headers available at: http://developer.limneos.net/
• Most interesting binaries:
  • Biometric operations: BiometricKit.framework, biometrickitd, Preferences.app
  • NFC Controller: nfcd, NearField.framework, libnfshared.dylib, PN548_HAL.dylib, PN548_API.dylib, PN548.dylib
  • Secure enclave: seld, seputil binary (https://theiphonewiki.com/wiki/Seputil)
34. BiometricKitIdentity
Represents the enrolled fingerprints on the device. Properties for the user-defined name and UUID are available.
35. BLTemplateList
Retrieves the template associated with each identity enrolled on the device.
36. TemplateInfo
Retrieves the information associated with each Template that represents a fingerprint.
37. BioLogBase
Contains all the logs dumped for the TouchID component.
39. TemplateList.cat
• Located at /private/var/root/Library/Catacomb/TemplateList.cat
• It is the template that contains all the information about the fingerprints added to the system.
• Some information is readable, but the most interesting part is Base64 encoded and encrypted (?)
41. Gotta Catch ’em all!
• decodeCatacombDataV1
• pullDebugImageData
• pullImageMetadata
• pullMatchTopologyData
• setAppleMesaSEPLoggingLevel
• getData / readBinary / getApplications / getCertificates
• decodeRootSecurityDomainResponse / dumpAppData
44. LA Security
• LocalAuthentication: Trust the OS
• Keychain: Trust the Secure Enclave
No direct access to the Secure Enclave. No access to registered fingers. No access to the fingerprint image.
45. LocalAuthentication API
• Shared Libraries: Check with otool whether LocalAuthentication.framework is present.
• canEvaluatePolicy: Preflights an authentication policy to see if it is possible for authentication to succeed.
• evaluatePolicy: Evaluates the specified policy. A block receives the boolean result.
• Policy: LAPolicyDeviceOwnerAuthenticationWithBiometrics. No passcode authentication; fallback to the application’s own password entry UI.
46. TouchID Authentication

- (void)evaluatePolicy {
    LAContext *context = [[LAContext alloc] init];
    __block NSString *msg;
    // show the authentication UI with our reason string
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:NSLocalizedString(@"8=====D~", nil)
                      reply:^(BOOL success, NSError *authenticationError) {
        if (success) {
            msg = [NSString stringWithFormat:NSLocalizedString(@"EVALUATE_POLICY_SUCCESS", nil)];
        } else {
            msg = [NSString stringWithFormat:NSLocalizedString(@"EVALUATE_POLICY_WITH_ERROR", nil),
                   authenticationError.localizedDescription];
        }
        [self printResult:self.textView message:msg];
    }];
}
47. Tango Down

carapene:~ root# cycript -p PID
cy# @import com.saurik.substrate.MS
cy# var oldm = {}
cy# // the replacement receives the message arguments (the receiver is `this`);
cy# // the reply block is invoked with success = YES, so the app's own success path runs
cy# MS.hookMessage(LAContext, @selector(evaluatePolicy:localizedReason:reply:),
cy>     function(policy, reason, reply) { reply(YES, nil); }, oldm);
53. Conclusions
• Apple Pay technology is pretty solid and well structured; maybe not all the statements made by Apple are true, but the global security deployed is robust.
• A jailbroken device is required to at least scratch the surface, and even with that, the information obtained is not highly sensitive.
• TouchID integration works better with Keychain ACLs; the integration with LocalAuthentication.framework is not recommended to protect your assets.
54. Thank You
Special thanks to @abelenko, @trufae (pancake), @revskills (F. Alonso) and J. Levin (@technologeeks).
Sebas Guerrero, @0xroot, sguerrero@nowsecure.com